AndroidPolice (via full-disclosure) have detailed an issue with recent HTC phones (I own one). HTC has new tools that allow for a wide range of logging. These logging features (and resultant logs) are horribly secured, leaving pretty much any app able to harvest this information.
Things like this underscore three small points.
1. There’s been recent hand-wringing about pessimism in security. But it’s things like this, either a priori, or just by being more security-conscious and exposing these things, that really reveal why we are a bit less cheerful. Is it pessimistic just because I know about shoddy code and a vulnerability like this, and likewise would I be more optimistic if I wallowed in ignorance? It’s like not liking strippers as much because you’ve seen them in the back room with their make-up off and holes in their underwear.
2. The lack of initial response from HTC, but then subsequent response and offering of a patch when things go public, illustrates the challenge security has, especially when we’re talking about things that are as ubiquitous as a cell phone (ok, smartphone) and in use not just in IT circles, but in consumerland. The fact that crap like this even happens is enough to cause an extra drink or two a night. I really believe there are far more people than I’m comfortable with thinking about who will bend and/or break rules and do as little as possible as long as they have a decent chance of not being exposed; part of what I’ll always call the Security Gamble.
3. Why is there this logging in the first place? I can only think of three reasonable things. First, compliance with law enforcement initiatives. Second, marketing to gain more information on users and use that for revenue generation. Third, support for when things go wrong, or to improve the product after crashes and such. I firmly believe in the first item, shrug at the second, and sort of doubt the third as being way too proactive for most orgs.
I also think this continues to illustrate why smartphones just can’t last forever and how unmanageable and unscalable they are as technological devices. Keeping up with apps and the underlying security and usefulness and minimizing the frustration is just not going to get better. Sure, they’re smaller (handheld) and it’s easier (cheaper) to buy apps and have them auto-install, but that’s only successful for today because those are improvements over just 2 pieces of the desktop/laptop experience. There is still the quagmire of user garbage that accumulates on these devices that causes just as much frustration with them as any previous computing device.